I am using a Splunk forwarder with a main Splunk server. The forwarder is listening on udp port 1514. And is sending logs to my Splunk server on port 9997.
Everything is working as far as I can tell. On the forwarder though, I want to change the sourcetype from syslog to json_no_timestamp. When I do this though, logs do not get sent through anymore.
In case it is relevant, I am running these all as docker containers. The syslogs that are coming in are being sent from docker containers, and the forwarder and main Splunk instance are separate containers.
I am not sure where the problem could be, any input would be greatly appreciated! It's possible the issue is with the container configuration or with Splunk itself, but it does all work when set to syslog, so I am not sure.
I posted a trimmed-down docker-compose file and the Splunk logs and results from splunk cmd btool inputs list:
https://gist.github.com/prees1/c26a305c4e012a395c78
There doesn't appear to be anything out of place in those files, from what I can tell.
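A check worth running before switching the UDP input's sourcetype, added here as an example and not part of the original post or its gist: capture a few of the lines the Docker containers actually deliver to port 1514 and see whether each one is bare JSON, JSON wrapped in a syslog header, or not JSON at all. The sample lines below are constructed; the header shape (PRI, RFC 3164 timestamp, host, tag) is an assumption about what a Docker syslog log driver emits, and the assumption behind the whole check is that a JSON sourcetype such as json_no_timestamp expects the event body to be JSON.

```python
import json
import socket

# Constructed sample lines (not taken from the post): what a UDP syslog
# listener might receive from Docker containers. Header layout assumed.
SAMPLE_LINES = [
    '<30>Mar  1 12:00:01 myhost web/a1b2c3[123]: {"level":"info","msg":"started"}',
    '<30>Mar  1 12:00:02 myhost web/a1b2c3[123]: plain text, not json',
    '{"level":"warn","msg":"bare json, no syslog header"}',
]


def classify(line: str) -> str:
    """Say how a line would look to a JSON sourcetype.

    Returns one of:
      "json"                     - the whole line parses as JSON
      "json_with_syslog_header"  - JSON object preceded by a syslog header
      "not_json"                 - no parseable JSON object found
    """
    stripped = line.strip()
    try:
        json.loads(stripped)
        return "json"
    except ValueError:
        pass
    # Look for a JSON object after whatever header precedes it.
    start = stripped.find("{")
    if start > 0:
        try:
            json.loads(stripped[start:])
            return "json_with_syslog_header"
        except ValueError:
            pass
    return "not_json"


def diagnose(lines):
    """Map each received line to its classification."""
    return {line: classify(line) for line in lines}


def capture_udp(port: int = 1514, count: int = 3, timeout: float = 5.0):
    """Read a few datagrams from a local UDP port (run while the forwarder
    is stopped, or on a spare port) so real lines can be fed to diagnose().
    Port 1514 is the port named in the post; anything else is an assumption."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        while len(received) < count:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            received.append(data.decode("utf-8", errors="replace"))
    return received


if __name__ == "__main__":
    # Offline run over the constructed samples.
    for line, verdict in diagnose(SAMPLE_LINES).items():
        print(f"{verdict:24s} {line}")
```

If most captured lines come back as "json_with_syslog_header" or "not_json", the forwarder is receiving syslog-framed text rather than the JSON body a JSON sourcetype is meant to parse, which is the first thing to reconcile (on the sending side or with a transform on the forwarder) before expecting the sourcetype change to behave like the syslog one did.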